Junos OS

  • 1.  Issue with Static nat

    Posted 04-20-2016 12:38

    Hi,

    I am just starting out with Juniper and I cannot figure out what I am doing wrong with my Static NAT. I have scoured the internet looking for answers but have found none. I believe everything is correct, but it does not work.

     

    Sorry about the config below. I am also trying to get a site-to-site VPN set up. I currently have it running, but it is VERY slow. The config below is at a colo with a 1gig pipe and the remote office has 100 down / 5 up, but one can only transfer 1-2 MBPS when transferring anything from the colo to the remote site. Still working on that issue.

     

    I changed my IP addresses below.

     

    /* Configuration as posted to the thread (addresses were changed by the poster).
       NOTE(review): the system { } block is empty and the braces around services { }
       do not balance - this is a copy/paste excerpt, not a load-able config. */
    ## Last changed: 2016-04-21 02:48:48 UTC
    version 12.1X46-D35.1;
    system {

    }
    /* ssh and web-management normally live under [edit system services]. The web UI
       is bound to vlan.10 only; ssh carries no interface restriction here, so which
       zones/interfaces can reach it is decided by host-inbound-traffic below. */
    services {
    ssh;
    web-management {
    http {
    interface vlan.10;
    }
    https {
    system-generated-certificate;
    interface vlan.10;
    }
    }
    }
    }
    interfaces {
    ge-0/0/0 {
    description ISP;
    unit 0 {
    /* Unrestricted proxy-ARP lets this interface answer ARP for addresses outside its
       own subnet as well. A second, address-scoped proxy-arp for 162.16.163.99/28
       exists under [edit security nat proxy-arp]; per replies #4/#5 in this thread,
       removing this line is what made the static NAT work. */
    proxy-arp unrestricted;
    family inet {
    address 162.16.163.98/28;
    }
    }
    }
    ge-0/0/7 {
    description "TO Core";
    unit 0 {
    family ethernet-switching;
    }
    }
    st0 {
    unit 0 {
    point-to-point;
    family inet {
    /* Tunnel MTU lowered to 1350, matching the tcp-mss values under
       [edit security flow]; presumably to avoid fragmentation inside the tunnel. */
    mtu 1350;
    address 10.150.1.2/30;
    }
    }
    }
    vlan {
    unit 10 {
    family inet {
    address 10.50.1.5/30;
    }
    }
    }
    }
    routing-options {
    static {
    route 0.0.0.0/0 next-hop 162.16.163.97;
    /* Inside networks sit behind the core switch/router at 10.50.1.6; the NAT targets
       10.101.2.65 and 10.101.3.99 used below are reached through this route. */
    route 10.101.0.0/16 next-hop 10.50.1.6;
    /* Remote-office network is routed into the VPN tunnel interface. */
    route 10.11.1.0/24 next-hop st0.0;
    }
    }
    security {
    ike {
    policy ike_pol_VPN {
    /* IKEv1 aggressive mode sends the identities and the PSK-based authentication hash
       before the exchange is encrypted, which exposes the PSK to offline guessing.
       The peer has a fixed address (gateway gw_VPN), so main mode is an option. */
    mode aggressive;
    /* "compatible" is a predefined proposal set that includes legacy algorithms; an
       explicit proposal with current algorithms is the usual recommendation. */
    proposal-set compatible;
    /* $9$ is reversible obfuscation, not encryption: a $9$ string posted publicly
       should be treated as a disclosed key and rotated. */
    pre-shared-key ascii-text "$9$jciH.5QnAu1FncylMx7N-VY4ZHkPF69q.p0OBEh"; ## SECRET-DATA
    }
    gateway gw_VPN {
    ike-policy ike_pol_VPN;
    address 77.151.9.23;
    /* NAT-T disabled: only appropriate if neither VPN endpoint sits behind a NAT. */
    no-nat-traversal;
    external-interface ge-0/0/0.0;
    version v1-only;
    }
    }
    ipsec {
    policy ipsec_pol_VPN {
    perfect-forward-secrecy {
    keys group5;
    }
    /* Same legacy-inclusive predefined set as the IKE policy above. */
    proposal-set compatible;
    }
    vpn VPN {
    bind-interface st0.0;
    ike {
    gateway gw_VPN;
    ipsec-policy ipsec_pol_VPN;
    }
    establish-tunnels immediately;
    }
    }
    flow {
    tcp-mss {
    all-tcp {
    mss 1350;
    }
    ipsec-vpn {
    mss 1350;
    }
    }
    tcp-session {
    /* Disables TCP sequence-number validation for every session, not only the VPN,
       removing one of the checks that rejects out-of-window/spoofed segments.
       Presumably added while chasing the slow-VPN issue - confirm it is still needed. */
    no-sequence-check;
    }
    }
    screen {
    ids-option trust-screen {
    /* Screens in this profile only raise alarms; matching packets are not dropped. */
    alarm-without-drop;
    icmp {
    flood threshold 1000;
    ping-death;
    }
    ip {
    bad-option;
    record-route-option;
    timestamp-option;
    security-option;
    stream-option;
    source-route-option;
    loose-source-route-option;
    strict-source-route-option;
    unknown-protocol;
    tear-drop;
    }
    tcp {
    syn-fin;
    fin-no-ack;
    tcp-no-flag;
    syn-frag;
    syn-flood {
    alarm-threshold 512;
    attack-threshold 200;
    source-threshold 4000;
    destination-threshold 4000;
    timeout 20;
    }
    land;
    winnuke;
    }
    udp {
    flood threshold 1000;
    }
    limit-session {
    source-ip-based 1024;
    destination-ip-based 1024;
    }
    }
    ids-option untrust-screen {
    /* Alarm-only on the internet-facing zone too: nothing below actually drops. */
    alarm-without-drop;
    icmp {
    ip-sweep threshold 5000;
    fragment;
    large;
    flood threshold 1000;
    ping-death;
    }
    ip {
    bad-option;
    record-route-option;
    timestamp-option;
    stream-option;
    source-route-option;
    loose-source-route-option;
    strict-source-route-option;
    tear-drop;
    }
    tcp {
    fin-no-ack;
    tcp-no-flag;
    syn-frag;
    port-scan threshold 5000;
    syn-ack-ack-proxy;
    syn-flood {
    alarm-threshold 1024;
    attack-threshold 200;
    source-threshold 1024;
    destination-threshold 2048;
    timeout 20;
    }
    land;
    winnuke;
    }
    udp {
    flood threshold 2000;
    }
    limit-session {
    source-ip-based 512;
    destination-ip-based 512;
    }
    }
    }
    nat {
    source {
    rule-set NAT-TRUST-TO-UNTRUST {
    from zone trust;
    to zone untrust;
    rule PAT-INTERFACE {
    match {
    source-address 0.0.0.0/0;
    destination-address 0.0.0.0/0;
    }
    then {
    /* All trust->untrust traffic is hidden behind the ge-0/0/0.0 address. */
    source-nat {
    interface;
    }
    }
    }
    }
    }
    destination {
    pool dnat_10_101_3_99m32 {
    address 10.101.3.99/32 port 3389;
    }
    rule-set DEST-NAT {
    from zone untrust;
    rule WEB-TO-RDP {
    match {
    /* Any destination address: every TCP/3389 packet arriving from the untrust zone
       is sent to the RDP host. Together with the source-address any policy
       INTERNET-TO-DMZ below this exposes RDP to the whole internet; a source-address
       restriction in the policy (or in this match) is the usual mitigation. */
    destination-address 0.0.0.0/0;
    destination-port 3389;
    }
    then {
    destination-nat {
    pool {
    dnat_10_101_3_99m32;
    }
    }
    }
    }
    }
    }
    static {
    rule-set static-nat {
    from zone untrust;
    rule rule1 {
    match {
    /* 162.16.163.104 <-> 10.101.2.65, both directions. No address-book entry and no
       untrust->trust policy for 10.101.2.65 exist in this config; policy lookup runs
       after destination/static NAT, so a policy must match the translated (inside)
       address - see reply #2 in the thread. */
    destination-address 162.16.163.104/32;
    }
    then {
    static-nat {
    prefix {
    10.101.2.65/32;
    }
    }
    }
    }
    }
    }
    /* NAT-scoped proxy-ARP: the SRX answers ARP on ge-0/0/0.0 for this range. It is
       written as the whole /28 (which includes the interface's own .98); listing only
       the translated public address(es), here .104, would be the narrower choice. */
    proxy-arp {
    interface ge-0/0/0.0 {
    address {
    162.16.163.99/28;
    }
    }
    }
    }
    policies {
    from-zone trust to-zone untrust {
    policy permit-trust-to-untrust {
    match {
    source-address any;
    destination-address any;
    application any;
    }
    then {
    permit;
    /* Session start/end logging; the inbound policy below has no log statement. */
    log {
    session-init;
    session-close;
    }
    }
    }
    }
    from-zone untrust to-zone trust {
    /* The only inbound policy from the internet: any source to the RDP host on
       TCP/3389, matched on the post-NAT address (address-book entry RDP). Nothing
       here permits 10.101.2.65, the static-NAT target, and inbound RDP sessions are
       not logged. */
    policy INTERNET-TO-DMZ {
    match {
    source-address any;
    destination-address RDP;
    application RDP;
    }
    then {
    permit;
    }
    }
    }
    from-zone trust to-zone trust {
    /* Intra-zone VPN policies: st0.0 is placed in zone trust (see zones below), so
       tunnel traffic is evaluated as trust->trust. */
    policy policy_out_VPN {
    match {
    source-address addr_10_101_0_0_16;
    destination-address addr_10_11_1_0_24;
    application any;
    }
    then {
    permit;
    }
    }
    policy policy_in_VPN {
    match {
    source-address addr_10_11_1_0_24;
    destination-address addr_10_101_0_0_16;
    application any;
    }
    then {
    permit;
    }
    }
    }
    }
    zones {
    security-zone untrust {
    screen untrust-screen;
    interfaces {
    ge-0/0/0.0 {
    host-inbound-traffic {
    system-services {
    /* Every host-inbound service is accepted on the internet-facing interface, ssh
       among them (ssh above has no interface restriction). The VPN needs ike here
       (external-interface ge-0/0/0.0); management from the internet normally is not
       wanted - list the required services explicitly instead of all. */
    all;
    }
    }
    }
    }
    }
    security-zone trust {
    address-book {
    /* Zone-scoped address book. RDP is the inside (post-NAT) address referenced by
       policy INTERNET-TO-DMZ. */
    address RDP 10.101.3.99/32;
    address addr_10_101_0_0_16 10.101.0.0/16;
    address addr_10_11_1_0_24 10.11.1.0/24;
    }
    screen trust-screen;
    host-inbound-traffic {
    system-services {
    all;
    /* Redundant: all already includes ike. */
    ike;
    }
    }
    interfaces {
    vlan.10 {
    host-inbound-traffic {
    system-services {
    all;
    }
    }
    }
    st0.0;
    }
    }
    }
    }
    applications {
    application RDP {
    protocol tcp;
    destination-port 3389;
    }
    }
    vlans {
    vlan-trust {
    description trust;
    vlan-id 10;
    interface {
    ge-0/0/7.0;
    }
    l3-interface vlan.10;
    }
    }

    [edit]

     

    Thank you for any help or direction.



  • 2.  RE: Issue with Static nat

    Posted 04-20-2016 22:34

    Hi !

     

    My quick guess is that you forgot the first-flow sequence, namely...

    1. destination NAT

    2. route lookup

    3. policy evaluation

    4. source NAT

     

    ---> so for the policy evaluation you need to define the translated destination address and the untranslated source address

     

    regards

     

    alexander



  • 3.  RE: Issue with Static nat

    Posted 04-21-2016 11:46

    OK, I think I set up everything correctly, but it still does not want to work for me. I am getting translation hits but nothing is working. I am trying to run some traceoptions but I cannot figure out what needs to be set.

     

    Below is my static nat setup and below that is my policy

     

     

    rule-set MAG-DMZ {
    description MAG2600;
    from zone untrust;
    rule Mag-rul {
    match {
    source-address 0.0.0.0/0;
    destination-address 64.62.163.104/32;
    }
    then {
    static-nat {
    prefix {
    10.101.2.65/32;
    }
    }
    }
    }
    }
    }

     

     

     

     

    policy Internet-to-Mag {
    match {
    source-address any;
    destination-address MAG-10.101.2.65/32;
    application any;
    }
    then {
    permit;
    }
    }
    }

     

    Output of translation hits

     

     

    root@FMT-SRX01> show security nat static rule all
    Total static-nat rules: 1
    Total referenced IPv4/IPv6 ip-prefixes: 2/0

    Static NAT rule: Mag-rul Rule-set: MAG-DMZ
    Rule-Id : 2
    Rule position : 1
    From zone : untrust
    Source addresses : 0.0.0.0 - 255.255.255.255
    Destination addresses : 16.162.13.104
    Host addresses : 10.101.2.65
    Netmask : 32
    Host routing-instance : N/A
    Translation hits : 66
    Successful sessions : 4
    Number of sessions : 0

    root@FMT-SRX01>



  • 4.  RE: Issue with Static nat
    Best Answer

    Posted 04-22-2016 02:37

    I just looked at the initial config, I have not looked at your outputs yet.

    Just to verify, you have two different networks set up for proxy-arp: one in the NAT config and the other in the interface config. Try using only the NAT proxy-arp, remove the interface config for proxy-arp, and check whether the two different network addresses are correct.
    interfaces {
    ge-0/0/0 {
    description ISP;
    unit 0 {
    proxy-arp unrestricted;
    family inet {
    address 162.16.163.98/28;
    }
    =========================
    then {
    static-nat {
    prefix {
    10.101.2.65/32;
    }
    }
    }
    }
    }
    }
    proxy-arp {
    interface ge-0/0/0.0 {
    address {
    162.16.163.99/28;



  • 5.  RE: Issue with Static nat

    Posted 04-26-2016 08:14

    That worked. Thank you so much. Removing "proxy-arp unrestricted;" from the interface worked.